drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in phpbb2
Name: |
Mehrere Probleme in phpbb2 |
|
ID: |
DSA-925-1 |
|
Distribution: |
Debian |
|
Plattformen: |
Debian sarge |
|
Datum: |
Do, 22. Dezember 2005, 09:35 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3537 |
|
Applikationen: |
phpBB |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- -------------------------------------------------------------------------- Debian Security Advisory DSA 925-1 security@debian.org http://www.debian.org/security/ Martin Schulze December 22nd, 2005 http://www.debian.org/security/faq - --------------------------------------------------------------------------
Package : phpbb2 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537 BugTraq IDs : 15170 15243 Debian Bugs : 35662 336582 336587
Several vulnerabilities have been discovered in phpBB, a fully featured and skinnable flat webforum,
The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2005-3310
Multiple interpretation errors allow remote authenticated users to inject arbitrary web script when remote avatars and avatar uploading are enabled.
CVE-2005-3415
phpBB allows remote attackers to bypass protection mechanisms that deregister global variables that allows attackers to manipulate the behaviour of phpBB.
CVE-2005-3416
phpBB allows remote attackers to bypass security checks when register_globals is enabled and the session_start function has not been called to handle a session.
CVE-2005-3417
phpBB allows remote attackers to modify global variables and bypass security mechanisms.
CVE-2005-3418
Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web scripts.
CVE-2005-3419
An SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands.
CVE-2005-3420
phpBB allows remote attackers to modify regular expressions and execute PHP code via the signature_bbcode_uid parameter.
CVE-2005-3536
Missing input sanitising of the topic type allows remote attackers to inject arbitrary SQL commands.
CVE-2005-3537
Missing request validation permitted remote attackers to edit private messages of other users.
The old stable distribution (woody) does not contain phpbb2 packages.
For the stable distribution (sarge) these problems have been fixed in version 2.0.13+1-6sarge2.
For the unstable distribution (sid) these problems have been fixed in version 2.0.18-1.
We recommend that you upgrade your phpbb2 packages.
Upgrade Instructions - --------------------
wget url will fetch the file for you dpkg -i file.deb will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update will update the internal database apt-get upgrade will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge - --------------------------------
Source archives:
phpbb2_2.0.13+1-6sarge2.dsc Size/MD5 checksum: 783 84a0dab5af965cf6ff418c2b2383a9ee phpbb2_2.0.13+1-6sarge2.diff.gz Size/MD5 checksum: 64580 e644237009e5eff92b86f21a5f6f4cbe phpbb2_2.0.13+1.orig.tar.gz Size/MD5 checksum: 3340445 678d0cb0372e46402a472c510fb90d78
Architecture independent components:
phpbb2-conf-mysql_2.0.13-6sarge2_all.deb Size/MD5 checksum: 37474 4cbfd2fe1e336214a3defddeff55ce65 phpbb2-languages_2.0.13-6sarge2_all.deb Size/MD5 checksum: 2873096 f71e21b77d9f5bffa076a25d6687b4c2 phpbb2_2.0.13-6sarge2_all.deb Size/MD5 checksum: 525514 f88101af29bf00db9a8fdb264e35d891
These files will probably be moved into the stable distribution on its next update.
- --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-securitydists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDqmF8W5ql+IAeqTIRAma4AKCU6XUWusnHBhS/v+jJUcm6hNPN6gCePKaF 2Bpd+e2RN8NYv6DkkYUmJFg= =usra -----END PGP SIGNATURE-----
-- To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
|
|
|
|